Cyote-attack Chain Estimator


Abstract

Attack Chain Estimator (ACE) Application Overview

The Attack Chain Estimator (ACE) Application is a tool for the ingestion, classification, sequencing, and enrichment of cybersecurity threat reports. It combines machine learning models with historical attack data to provide insight into cyber threats targeting Industrial Control Systems (ICS).

Purpose

The primary functions of the ACE Application are:

  Ingestion of Cybersecurity Threat Reporting: Ingests text-based threat reports in Markdown or plain-text format, and structured data from other sources in STIX/JSON format.

  Classification of the Report's Text-Based Events: Uses a DeBERTa classifier trained on cybersecurity data to map events to MITRE ATT&CK for ICS tactics and techniques. Classification is performed by Jupyter notebooks and machine learning workflows hosted as FastAPI microservices: regex_data, deberta_base_35_train_hft_classifier_mlflow.ipynb, hft_regex_classifier_mlflow.ipynb, param_train_hft_classifier_mlflow.ipynb, regex_tactic_tech.ipynb.

  Ordering of Tactics, Techniques, and Observable Events: Sequences the identified tactics, techniques, and events into a coherent attack chain.

  Enrichment with Historical Attack Chain Details: Adds details from historical attacks using a Markov model built from CyOTE Precursor Analysis Report data. The Markov model is exposed as a FastAPI endpoint so other components can call it.

  Enrichment with Adversary Emulation Capabilities Data: Links the chain to MITRE Caldera for OT adversary ability UUIDs.

  Export of Output Files: Exports the enriched attack chain in JSON or CSV format.

  Routing of Output to Other Applications: Routes output to threat intelligence platforms, to COREII Scout for threat intelligence analysis, and to COREII Modeling and Simulation for adversary emulation.

Technical Description

The ACE Application provides detailed threat analysis and attack-sequence generation on an architecture that integrates natural language processing, machine learning, and historical data modeling.

Key Components:

  Data Ingestion Module: Accepts threat reports and data in the formats listed above.

  Classification Engine: DeBERTa-based classifiers hosted as FastAPI microservices classify threat report events against the MITRE ATT&CK for ICS framework.

  Sequence Generator: Orders the classified events into a logical attack chain, showing the sequence of tactics and techniques used in the threat.

  Enrichment Engine: Adds historical context and adversary emulation capabilities to the attack chain. The historical enrichment is powered by the Markov model, available as a FastAPI endpoint.

  Export and Routing Module: Exports the enriched attack chain in multiple formats and routes the output to designated applications for further analysis or emulation.
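The sequencing and historical-enrichment steps described above, in miniature, as an added example that is not ACE's own code: a first-order Markov model over ATT&CK for ICS tactic IDs is trained on constructed historical chains (not CyOTE Precursor Analysis Report data), then used to order the tactics a classifier returned from one report into the most probable chain, to rank likely next tactics the report did not mention, and to shape the result the way a JSON export would. The tactic IDs are ATT&CK for ICS's own; the function names, the transition data, and the record layout are assumptions made here, and the FastAPI hosting ACE uses is left out (these functions would be the endpoint body).

```python
# Added example (not ACE's own code): a first-order Markov model over MITRE
# ATT&CK for ICS tactics, the kind of historical-chain model ACE uses to order
# classified events and suggest likely next steps. The historical chains are
# constructed for illustration, not CyOTE Precursor Analysis Report data.
import json
import math
from collections import Counter, defaultdict
from itertools import permutations

# ATT&CK for ICS tactic IDs (real identifiers; only the transitions below are constructed).
TACTICS = {
    "TA0108": "Initial Access", "TA0104": "Execution", "TA0110": "Persistence",
    "TA0111": "Privilege Escalation", "TA0103": "Evasion", "TA0102": "Discovery",
    "TA0109": "Lateral Movement", "TA0100": "Collection", "TA0101": "Command and Control",
    "TA0107": "Inhibit Response Function", "TA0106": "Impair Process Control", "TA0105": "Impact",
}
START, END = "<START>", "<END>"  # sentinels so first- and last-step likelihoods are modeled too

# Constructed historical chains: tactic IDs in the order each incident unfolded.
HISTORICAL_CHAINS = [
    ["TA0108", "TA0104", "TA0110", "TA0102", "TA0109", "TA0100", "TA0106", "TA0105"],
    ["TA0108", "TA0104", "TA0102", "TA0100", "TA0101", "TA0107", "TA0105"],
    ["TA0108", "TA0104", "TA0110", "TA0101", "TA0102", "TA0109", "TA0106", "TA0105"],
    ["TA0108", "TA0102", "TA0109", "TA0104", "TA0100", "TA0105"],
    ["TA0108", "TA0104", "TA0103", "TA0102", "TA0100", "TA0106", "TA0105"],
]


def train_markov(chains, alpha=1.0):
    """Count tactic-to-tactic transitions. Returns (counts, row totals, alpha);
    alpha is additive smoothing so an unseen transition is unlikely, not impossible."""
    counts = defaultdict(Counter)
    for chain in chains:
        states = [START, *chain, END]
        for cur, nxt in zip(states, states[1:]):
            counts[cur][nxt] += 1
    totals = {s: sum(c.values()) for s, c in counts.items()}
    return dict(counts), totals, alpha


def transition_prob(model, cur, nxt):
    """Smoothed P(nxt | cur); the next state is any of the 12 tactics or END."""
    counts, totals, alpha = model
    vocab = len(TACTICS) + 1
    return (counts.get(cur, {}).get(nxt, 0) + alpha) / (totals.get(cur, 0) + alpha * vocab)


def chain_log_likelihood(model, chain):
    states = [START, *chain, END]
    return sum(math.log(transition_prob(model, a, b)) for a, b in zip(states, states[1:]))


def sequence_tactics(model, observed):
    """Order the unordered set of tactics a classifier pulled from one report into
    the most probable chain. Exhaustive search is fine for the handful of tactics
    one report yields; refuse inputs where it would not be."""
    observed = sorted(set(observed))
    if len(observed) > 8:
        raise ValueError("too many tactics for exhaustive ordering")
    best = max(permutations(observed), key=lambda p: chain_log_likelihood(model, list(p)))
    return list(best)


def suggest_next(model, last, exclude=(), k=3):
    """Enrichment: tactics most likely to follow `last` that the report did not mention."""
    cands = [(t, transition_prob(model, last, t)) for t in TACTICS if t not in exclude]
    cands.sort(key=lambda tp: (-tp[1], tp[0]))
    return cands[:k]


def build_chain_record(model, observed):
    """Sequence, enrich, and shape the result as an export step would."""
    ordered = sequence_tactics(model, observed)
    steps = []
    for i, t in enumerate(ordered):
        prev = ordered[i - 1] if i else START
        steps.append({"step": i + 1, "tactic_id": t, "tactic": TACTICS[t],
                      "p_from_previous": round(transition_prob(model, prev, t), 4)})
    return {
        "chain": steps,
        "log_likelihood": round(chain_log_likelihood(model, ordered), 4),
        "likely_next": [{"tactic_id": t, "tactic": TACTICS[t], "p": round(p, 4)}
                        for t, p in suggest_next(model, ordered[-1], exclude=ordered)],
    }


if __name__ == "__main__":
    model = train_markov(HISTORICAL_CHAINS)
    # Tactics as a classifier might emit them from one report: document order, not attack order.
    print(json.dumps(build_chain_record(model, ["TA0105", "TA0108", "TA0100", "TA0104"]), indent=2))
```

The START and END sentinels matter in practice: without them the model has no opinion on which tactic opens or closes a chain, so Initial Access and Impact can land anywhere. Additive smoothing is what lets the model rank a transition it never saw in the historical data rather than assign it zero and silently drop that ordering.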
Developers:
Paul, Tony [1]; Bowman, Scott [1]; Pluth, Adam [1]; Quach, Anna [1]; Marx, Bradley [1]; Ramos, Edward [1]; Wen, Shaw [1]; Biggs, Brandon [1]
  1. Idaho National Laboratory (INL), Idaho Falls, ID (United States)
Release Date:
2026-02-12
Project Type:
Closed Source
Software Type:
Scientific
Programming Languages:
React, TypeScript, Vite, TailwindCSS, and DaisyUI
Sponsoring Org.:
USDOE Office of Nuclear Energy (NE)
Code ID:
179109
Research Org.:
Idaho National Laboratory (INL), Idaho Falls, ID (United States)
Country of Origin:
United States


Citation Formats

Paul, Tony, Bowman, Scott T., Pluth, Adam J., Quach, Anna T., Marx, Bradley E., Ramos, Edward A., Wen, Shaw X., and Biggs, Brandon S. Cyote-attack Chain Estimator. Computer Software. USDOE Office of Nuclear Energy (NE). 12 Feb. 2026. Web. doi:10.11578/dc.20260413.3.
Paul, Tony, Bowman, Scott T., Pluth, Adam J., Quach, Anna T., Marx, Bradley E., Ramos, Edward A., Wen, Shaw X., & Biggs, Brandon S. (2026, February 12). Cyote-attack Chain Estimator. [Computer software]. https://doi.org/10.11578/dc.20260413.3.
Paul, Tony, Bowman, Scott T., Pluth, Adam J., Quach, Anna T., Marx, Bradley E., Ramos, Edward A., Wen, Shaw X., and Biggs, Brandon S. "Cyote-attack Chain Estimator." Computer software. February 12, 2026. https://doi.org/10.11578/dc.20260413.3.
@misc{ doecode_179109,
title = {Cyote-attack Chain Estimator},
author = {Paul, Tony and Bowman, Scott T. and Pluth, Adam J. and Quach, Anna T. and Marx, Bradley E. and Ramos, Edward A. and Wen, Shaw X. and Biggs, Brandon S.},
abstractNote = {Attack Chain Estimator (ACE) Application Overview The Attack Chain Estimator (ACE) Application is a sophisticated tool designed for the ingestion, classification, sequencing, and enrichment of cybersecurity threat reports. This application leverages advanced machine learning models and extensive historical data to provide comprehensive insights into cyber threats, specifically targeting Industrial Control Systems (ICS). Purpose The primary functions of the ACE Application include: Ingestion of Cybersecurity Threat Reporting: Capable of ingesting text-based threat reports in markdown or text file format. Supports ingestion of structured data from other sources in STIX/JSON format. Classification of Report’s Text-Based Events: Utilizes a DeBERTa classifier, specifically trained on cybersecurity data, to map the events to MITRE ATT&CK for ICS Tactics and Techniques. Classification is performed using multiple Jupyter notebooks and machine learning workflows hosted as FastAPI microservices: regex_data deberta_base_35_train_hft_classifier_mlflow.ipynb hft_regex_classifier_mlflow.ipynb param_train_hft_classifier_mlflow.ipynb regex_tactic_tech.ipynb Ordering of Tactics, Techniques, and Observable Events: Sequences the identified tactics, techniques, and events to form a coherent attack chain. Enrichment with Historical Attack Chain Details: Enhances the attack chain with details from historical attacks using a Markov model developed from CyOTE Precursor Analysis Report data. The Markov model is available as a FastAPI endpoint for seamless integration. Enrichment with Adversary Emulation Capabilities Data: Integrates adversary emulation capabilities data using MITRE Caldera for OT adversary abilities UUIDs. Export of Output Files: Provides options to export the enriched attack chain in JSON or CSV formats. 
Routing of Output to Other Applications: Facilitates routing of output to various platforms and applications, including: Threat Intelligence Platforms COREII Scout for Threat Intelligence Analysis COREII Modeling and Simulation for Adversary Emulation Technical Description The ACE Application is an advanced cybersecurity tool designed to provide detailed threat analysis and sequence generation. It is built on a robust architecture that integrates natural language processing, machine learning, and historical data modeling. Key Components: Data Ingestion Module: Handles the input of threat reports and data from various formats, ensuring flexibility in data sources. Classification Engine: Employs DeBERTa-based classifiers hosted as FastAPI microservices to analyze and classify threat report events in accordance with the MITRE ATT&CK framework for ICS. Sequence Generator: Orders the classified events into a logical attack chain, providing clear insight into the sequence of tactics and techniques used in the threat. Enrichment Engine: Integrates historical data and adversary emulation capabilities to enhance the attack chain with valuable context and additional details. The historical data enrichment is powered by a Markov model, which is available as a FastAPI endpoint. Export and Routing Module: Facilitates the export of the enriched attack chain in multiple formats and routes the output to designated applications for further analysis or emulation.},
doi = {10.11578/dc.20260413.3},
url = {https://doi.org/10.11578/dc.20260413.3},
howpublished = {[Computer Software] \url{https://doi.org/10.11578/dc.20260413.3}},
year = {2026},
month = {feb}
}